Abstract — Fault analysis is a powerful attack on stream ciphers.
Up to now, the major idea of fault analysis has been to simplify the
cipher system by injecting some soft faults. We call it soft fault
analysis. As a hardware-oriented stream cipher, Trivium is weak
under soft fault analysis.

In this paper we consider another type of fault analysis
of stream ciphers, which is to simplify the cipher system by
injecting some hard faults. We call it hard fault analysis. We
present the following results about such an attack on Trivium.
In Case 1, with probability not smaller than 0.2396, the
attacker can obtain 69 bits of the 80-bit key. In Case 2, with
probability not smaller than 0.2291, the attacker can obtain
all of the 80-bit key. In Case 3, with probability not smaller
than 0.2291, the attacker can partially solve the key. In Case
4, with non-negligible probability, the attacker can obtain a
simplified cipher, with a smaller number of state bits and a slower
non-linearization procedure. In Case 5, with non-negligible
probability, the attacker can obtain another simplified cipher.
Besides, these 5 cases can be identified by observing the
key-stream.

Index Terms — Side-channel analysis, fault analysis, stream 
cipher, Trivium 



I. Introduction 
A. Background and Results of Our Work 

Side-channel analysis of stream ciphers [1] is a class
of novel attacks combining physical and mathematical
methods, including fault analysis [2], power analysis [3],
timing analysis, etc. In the class of side-channel analysis, fault
analysis is a powerful attack. Up to now, the major idea of
fault analysis has been to simplify the cipher system by injecting
some soft faults (that is, by changing the values of some
positions at some moment), thus revealing the key hidden in
the encryption machine. We call such an attack soft fault analysis.
Soft fault analysis is a known differential attack [4], by which
the attacker can obtain additional low-degree equations of the
state. Trivium [5], [6] is a hardware-oriented stream cipher,
and one of the ciphers finally chosen by the eSTREAM project,
but it is weak under soft fault analysis [7], [8].

In this paper we consider another type of fault analysis
of stream ciphers, which is to simplify the cipher system by
injecting some hard faults (that is, by setting the values of
some positions permanently to 0). We call it hard fault analysis.
Such an attack was presented by Eli Biham and Adi Shamir [9],
and used for breaking block ciphers. We present the following
results about hard fault analysis of Trivium. In Case 1, with
probability not smaller than 0.2396, the attacker can obtain 69
bits of the 80-bit key. In Case 2, with probability not smaller
than 0.2291, the attacker can obtain all of the 80-bit key. In Case
3, with probability not smaller than 0.2291, the attacker
can partially solve the key. In Case 4, with non-negligible
probability, the attacker can obtain a simplified cipher, with a
smaller number of state bits and a slower non-linearization
procedure. In Case 5, with non-negligible probability, the
attacker can obtain another simplified cipher. Besides, these
5 cases can be identified by observing the key-stream.

The contents are organized as follows. The next subsection
explains soft fault analysis and hard fault analysis.
In Section II we prepare for hard fault analysis of Trivium,
including a description of Trivium, our assumptions, notations,
and some facts. In Section III we present different features of
the fault-injected machine, in 7 different cases. In this section we
show that, in each of the former 5 cases, either the key can be
revealed, or the cipher can be practically simplified. In Section
IV we present an algorithm to identify the cases by observing
the key-stream. In this section we identify the former 4 cases
with probability close to 1, and identify Case 5 with
probability no smaller than 4/5. Section V is the conclusion
and future work expectation.

B. Soft Fault Analysis and Hard Fault Analysis 

Soft fault analysis is based on soft fault injection. At a random
moment of the encryption machine's driving procedure,
the attacker changes the values of some random positions of
the state. By the differential of the key-stream, the attacker can
obtain several additional low-degree equations of the state.

Hard fault analysis is based on hard fault injection. The 
attacker makes the values of some random positions of the 
state permanently 0. That is, after hard fault injection, those 
injected bits can be read out as 0, but can no longer be written 
in. According to technical restriction, hard fault injection must 
be made before the encryption machine's driving procedure. 

Three comparisons between hard fault analysis and soft fault 
analysis are as follows. 

Comparison 1: Hard fault analysis is more practical than
soft fault analysis. The main criticism against soft fault analysis
was the transient fault model that was claimed to be
unrealistic [9]. Hard fault injection is a current technique for
micro-probing, and has already become a real danger to cipher
chips [11]. For example, DS5003 is a new product of Maxim.
It is a secure microprocessor chip using a coating technique,
for resisting hard fault injection.

Comparison 2: Hard fault analysis is more expensive than
soft fault analysis. Soft fault injection is assumed to be made
by simple fault induction (special kind of light, magnetic
disturbance, or other brute methods). Hard fault injection
needs expensive FIB and related equipment.

TABLE I
THE KEY-STREAM GENERATION ALGORITHM

Input: the initial state $(s_1, \dots, s_{288})$,
       the number of output bits $N \le 2^{64}$
Output: key-stream $(z_0, z_1, z_2, \dots, z_N)$

for $i = 0$ to $N - 1$ do
    $z_i \leftarrow s_{66} + s_{93} + s_{162} + s_{177} + s_{243} + s_{288}$
    $t_1 \leftarrow s_{66} + s_{91} s_{92} + s_{93} + s_{171}$
    $t_2 \leftarrow s_{162} + s_{175} s_{176} + s_{177} + s_{264}$
    $t_3 \leftarrow s_{243} + s_{286} s_{287} + s_{288} + s_{69}$
    $(s_1, \dots, s_{93}) \leftarrow (t_3, s_1, \dots, s_{92})$
    $(s_{94}, \dots, s_{177}) \leftarrow (t_1, s_{94}, \dots, s_{176})$
    $(s_{178}, \dots, s_{288}) \leftarrow (t_2, s_{178}, \dots, s_{287})$
end for

Comparison 3: After soft fault analysis, an encryption 
machine can be returned back to the owner and be used again. 
On the other hand, after hard fault analysis, an encryption 
machine is destroyed, so that it seems meaningless to reveal 
the hidden key for this machine. By this, it may be considered 
that hard fault analysis is not as valuable as soft fault analysis. 
This may also be the reason for that hard fault analysis has 
sparsely appeared in the literature of stream cipher analysis. 

For Comparison 3, we argue that hard fault analysis is 
useful in some application scenes. One scene is that current 
key is used for decrypting the former plain-texts before they 
are outdated. Another scene is that the system has a weak 
key-renewal-algorithm, where current key can help to predict 
future keys. The third scene is that several machines share a 
common key, or have closely related keys. 

II. Preparation for Hard Fault Analysis of Trivium

A. Trivium Key-Stream Generation and Trivium State Initialization

The state of Trivium is 288 bits long, denoted as
$(s_1, \dots, s_{288})$. The state is renewed by 3 combined NFSRs
(Non-linear Feedback Shift Registers). The first NFSR is 93
bits long, denoted as $(s_1, \dots, s_{93})$. The second NFSR is 84
bits long, denoted as $(s_{94}, \dots, s_{177})$. The third NFSR is 111
bits long, denoted as $(s_{178}, \dots, s_{288})$. The current key-stream bit
is a linear function of the current state. Table 1 is an equivalent
algorithm for the key-stream generation.

The key is 80 bits long, denoted as $(k_1, \dots, k_{80})$, and
is secret. The IV (Initial Vector) is 80 bits long, denoted as
$(IV_1, \dots, IV_{80})$, and is public. In other words, if anyone
obtains an encryption machine, he can arbitrarily set the value
of the IV. Table 2 is an equivalent algorithm for the initial state
generation.

Table 1 and Table 2 show that, for key-stream generation
and initial state generation, the state renewal is the same. In
detail, let $s_{(t,j)}$ denote the state bit at time $t$ and position $j$; then
Table 3 presents a clearer description of the state renewal.

Lemma 1: [5], [6] Let $(s_1, \dots, s_{288})$ denote the initial state
(that is, the state at the time just before generating $z_0$). Take
$\{z_0, z_1, z_2, \dots\}$ as functions of $(s_1, \dots, s_{288})$. Then

1) $\{z_0, z_1, \dots, z_{65}\}$ are 66 linear functions.

2) $\{z_{66}, z_{67}, \dots, z_{147}\}$ are 82 quadratic functions.

3) $\{z_{148}, z_{149}, \dots, z_{213}\}$ are 66 cubic functions.

4) Each of $\{z_{214}, z_{215}, \dots\}$ is at least a quartic function.

Lemma 1 shows such a weakness of Trivium that its
non-linearization procedure is over slow. By knowing the
key-stream, a large number of low-degree equations will be
obtained.

TABLE II
THE INITIAL STATE GENERATION ALGORITHM

Input: the state
    $(s_1, \dots, s_{93}) \leftarrow (k_1, \dots, k_{80}, 0, \dots, 0)$
    $(s_{94}, \dots, s_{177}) \leftarrow (IV_1, \dots, IV_{80}, 0, \dots, 0)$
    $(s_{178}, \dots, s_{288}) \leftarrow (0, \dots, 0, 1, 1, 1)$
Output: the initial state $(s_1, \dots, s_{288})$

for $i = 1$ to $1152$ do
    $t_1 \leftarrow s_{66} + s_{91} s_{92} + s_{93} + s_{171}$
    $t_2 \leftarrow s_{162} + s_{175} s_{176} + s_{177} + s_{264}$
    $t_3 \leftarrow s_{243} + s_{286} s_{287} + s_{288} + s_{69}$
    $(s_1, \dots, s_{93}) \leftarrow (t_3, s_1, \dots, s_{92})$
    $(s_{94}, \dots, s_{177}) \leftarrow (t_1, s_{94}, \dots, s_{176})$
    $(s_{178}, \dots, s_{288}) \leftarrow (t_2, s_{178}, \dots, s_{287})$
end for

TABLE III
THE STATE RENEWAL

$$(s_{(t+1,1)}, s_{(t+1,2)}, \dots, s_{(t+1,93)}) = (s_{(t,243)} + s_{(t,286)} s_{(t,287)} + s_{(t,288)} + s_{(t,69)},\ s_{(t,1)}, \dots, s_{(t,92)})$$

$$(s_{(t+1,94)}, s_{(t+1,95)}, \dots, s_{(t+1,177)}) = (s_{(t,66)} + s_{(t,91)} s_{(t,92)} + s_{(t,93)} + s_{(t,171)},\ s_{(t,94)}, \dots, s_{(t,176)})$$

$$(s_{(t+1,178)}, s_{(t+1,179)}, \dots, s_{(t+1,288)}) = (s_{(t,162)} + s_{(t,175)} s_{(t,176)} + s_{(t,177)} + s_{(t,264)},\ s_{(t,178)}, \dots, s_{(t,287)})$$

B. Assumptions, Notations and Some Facts 

Suppose that the attacker obtains an encryption machine
(or an encryption card, etc.), equipped with Trivium. He wants
to obtain the hidden key $(k_1, \dots, k_{80})$. He makes a hard fault
injection. The hard fault bits are from a random one of the 3 NFSRs,
and at random positions in this NFSR. At the injecting moment, he
cannot control the positions of the hard fault bits. After injection,
he does not know the positions of the hard fault bits. Then he
sets $(IV_1, \dots, IV_{80}) = (0, \dots, 0)$. That is, for the initial state
generation procedure, the input state is

$$(s_1, \dots, s_{93}) \leftarrow (k_1, \dots, k_{80}, 0, \dots, 0),$$

$$(s_{94}, \dots, s_{177}) \leftarrow (0, \dots, 0),$$

$$(s_{178}, \dots, s_{288}) \leftarrow (0, \dots, 0, 1, 1, 1).$$

Then he starts up the machine (initial state generation and
key-stream generation), and checks the output key-stream from
this fault-injected machine.

It is easy to see that our assumptions are quite trivial. 

$P_L$ denotes the lowest position of injected faults. $P_H$
denotes the highest position of injected faults. According to
our assumptions, $P_H$ and $P_L$ fall into the same index set
$\{1, \dots, 93\}$, or $\{94, \dots, 177\}$, or $\{178, \dots, 288\}$. $P_L$ is of
the following 7 cases.

Case 1: $94 \le P_L \le 162$.

Case 2: $178 \le P_L \le 243$.

Case 3: $1 \le P_L \le 66$.

Case 4: $163 \le P_L \le 171$.

Case 5: $172 \le P_L \le 176$.

Case 6: $P_L = 177$.

Case 7: other values of $P_L$, that is,
$67 \le P_L \le 93$ or $244 \le P_L \le 288$.

It is clear that the probability of Case 1 is never smaller
than 69/288=0.2396, that the probability of Case 2 is never
smaller than 66/288=0.2291, and that the probability of Case
3 is never smaller than 66/288=0.2291. Probabilities of Case
4 and Case 5 are not clear, because we do not set a detailed
injection model. We can only say that these 2 probabilities
are non-negligible. The probability of Case 6 is never larger
than 1/288=0.0035, and generally is far smaller than 0.0035.

We call the input state the state at time 0, and sequentially
rank the state at time 1, 2, $\dots$. By this ranking, the initial state
(that is, the state at the time just before generating $z_0$) is the
state at time 1152. $(s_{(t,1)}, s_{(t,2)}, \dots, s_{(t,288)})$ denotes the state
at time $t$. So that, for each $m \ge 0$, the key-stream bit $z_m$ has
such a representation

$$z_m = s_{(m+1152,66)} + s_{(m+1152,93)} + s_{(m+1152,162)} + s_{(m+1152,177)} + s_{(m+1152,243)} + s_{(m+1152,288)}.$$

$*$ denotes an arbitrary bit-value.

Some simple facts about hard fault injection are as follows. 

Suppose $j$ is a position of a hard fault injected bit, where
$1 \le j \le 93$. Then $s_{(t,j+m)} = 0$ for each $(t, m)$ such that
$t \ge 0$ and $0 \le m \le \min\{93 - j, t\}$.

Suppose $j$ is a position of a hard fault injected bit, where
$94 \le j \le 177$. Then $s_{(t,j+m)} = 0$ for each $(t, m)$ such that
$t \ge 0$ and $0 \le m \le \min\{177 - j, t\}$.

Suppose $j$ is a position of a hard fault injected bit,
where $178 \le j \le 288$. Then $s_{(t,j+m)} = 0$ for each $(t, m)$
such that $t \ge 0$ and $0 \le m \le \min\{288 - j, t\}$.

III. Features of Fault Injected Machine in 7 Cases 

A. Features of Fault Injected Machine in Case 1: $94 \le P_L \le 162$

Lemma 2: The state at time 27 is as follows.

1) $(s_{(27,1)}, \dots, s_{(27,93)}) = (k_{43}, \dots, k_{66}, k_{67} + 1, k_{68} + 1, k_{69}, k_1, \dots, k_{66})$.

2) $(s_{(27,94)}, \dots, s_{(27,161)}) = (*, \dots, *)$, and
$(s_{(27,162)}, \dots, s_{(27,177)}) = (0, \dots, 0)$.

3) $(s_{(27,178)}, \dots, s_{(27,288)}) = (0, \dots, 0)$.

Lemma 3:

1) For each $t$ such that $t \ge 27$,

$$(s_{(t+1,1)}, \dots, s_{(t+1,93)}) = (s_{(t,69)}, s_{(t,1)}, \dots, s_{(t,92)}).$$

So that $\{(s_{(t,1)}, \dots, s_{(t,93)}), t \ge 27\}$ has a period 69.

2) For each $t$ such that $t \ge 27$,

$$(s_{(t,70)}, \dots, s_{(t,93)}) = (s_{(t,1)}, \dots, s_{(t,24)}).$$

3) For each $t$ such that $t \ge 27$,

$$(s_{(t,162)}, \dots, s_{(t,288)}) = (0, \dots, 0).$$

Lemma 2 and Lemma 3 are clear by gradually renewing the
state (see Table 3), and by considering the state at time 0:

$$(s_{(0,1)}, \dots, s_{(0,93)}) = (k_1, \dots, k_{80}, 0, \dots, 0),$$

$$(s_{(0,94)}, \dots, s_{(0,177)}) = (0, \dots, 0),$$

$$(s_{(0,178)}, \dots, s_{(0,288)}) = (0, \dots, 0, 1, 1, 1).$$

Proposition 1: Suppose $94 \le P_L \le 162$. Then the key-stream
$(z_0 z_1 z_2 \cdots)$ has a period 69, where

$$(z_0, z_1, z_2, \dots, z_{68}) = (k_{18}, k_{17}, \dots, k_1, k_{69}, k_{68} + 1, k_{67} + 1, k_{66}, k_{65}, \dots, k_{19}).$$

Proof: By Lemma 2 and Lemma 3, $z_0 = s_{(1152,66)}$,
$z_1 = s_{(1153,66)}$, $z_2 = s_{(1154,66)}, \dots$. So that the key-stream
$(z_0 z_1 z_2 \cdots)$ has a period 69. Again $z_0 = s_{(1152,66)} = s_{(27,45)} = k_{18}$.
Proposition 1 is proved. □
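The state-level statements of Lemma 2 and Lemma 3, and the period-69 key-stream of Case 1, can be checked by simulating Tables I to III with some cells forced to 0. This is an added example, not code from the paper; the key is a constructed sample, and the fault positions {94}, {120, 150}, {162} and all function names are assumptions chosen for illustration.

```python
import random


def load_state(key, iv):
    """Input state of Table II, 1-indexed (s[0] is unused padding)."""
    s = [0] * 289
    s[1:81] = key            # (s1..s93)    <- (k1..k80, 0, ..., 0)
    s[94:174] = iv           # (s94..s177)  <- (IV1..IV80, 0, ..., 0)
    s[286:289] = [1, 1, 1]   # (s178..s288) <- (0, ..., 0, 1, 1, 1)
    return s


def step(s, stuck):
    """One state renewal (Table III). Stuck cells read 0 and ignore writes."""
    t1 = s[66] ^ (s[91] & s[92]) ^ s[93] ^ s[171]
    t2 = s[162] ^ (s[175] & s[176]) ^ s[177] ^ s[264]
    t3 = s[243] ^ (s[286] & s[287]) ^ s[288] ^ s[69]
    nxt = [0, t3] + s[1:93] + [t1] + s[94:177] + [t2] + s[178:288]
    for p in stuck:
        nxt[p] = 0
    return nxt


def simulate(key, iv, stuck, n_bits):
    """Return (states, keystream); states[t] is the state at time t."""
    s = load_state(key, iv)
    for p in stuck:          # the fault is injected before the machine starts
        s[p] = 0
    states = [s]
    for _ in range(1152 + n_bits):
        s = step(s, stuck)
        states.append(s)
    # z_m is read from the state at time m + 1152 (output function of Table I).
    ks = [st[66] ^ st[93] ^ st[162] ^ st[177] ^ st[243] ^ st[288]
          for st in states[1152:1152 + n_bits]]
    return states, ks


def is_periodic(bits, p):
    """True if bits[i] == bits[i + p] over the whole observed window."""
    return all(bits[i] == bits[i + p] for i in range(len(bits) - p))


def lemma2_register1(key):
    """(s_(27,1), ..., s_(27,93)) as stated in Lemma 2, item 1."""
    k = [None] + list(key)   # k[1..80]
    return k[43:67] + [k[67] ^ 1, k[68] ^ 1, k[69]] + k[1:67]


def check_case1(key, stuck, n_bits=400):
    """Check Lemma 2(1), Lemma 3(1), Lemma 3(3) and the key-stream period."""
    states, ks = simulate(key, [0] * 80, stuck, n_bits)
    later = states[27:]
    return {
        "lemma2_register1": states[27][1:94] == lemma2_register1(key),
        "lemma3_rotation": all(b[1:94] == [a[69]] + a[1:93]
                               for a, b in zip(later, later[1:])),
        "lemma3_zero_tail": all(not any(st[162:289]) for st in later),
        "keystream_period_69": is_periodic(ks, 69),
    }


# Constructed sample key (not a value from the paper).
_rng = random.Random(2009)
KEY = [_rng.randint(0, 1) for _ in range(80)]

if __name__ == "__main__":
    for stuck in ({94}, {120, 150}, {162}):   # assumed Case 1 fault sets
        print(sorted(stuck), check_case1(KEY, stuck))
    _, clean = simulate(KEY, [0] * 80, set(), 400)
    print("no fault, period 69:", is_periodic(clean, 69))
```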

B. Features of Fault Injected Machine in Case 2: $178 \le P_L \le 243$

Lemma 4: The state at time 27 is as follows.

1) $(s_{(27,1)}, \dots, s_{(27,93)}) = (k_{43}, \dots, k_{66}, k_{67} + 1, k_{68} + 1, k_{69}, k_1, \dots, k_{66})$.

2) $(s_{(27,94)}, \dots, s_{(27,177)}) = (k_{40} + k_{65} k_{66} + k_{67},\ k_{41} + k_{66} k_{67} + k_{68},\ \dots,\ k_{53} + k_{78} k_{79} + k_{80},\ k_{54} + k_{79} k_{80},\ k_{55}, k_{56}, \dots, k_{66}, 0, \dots, 0)$.

3) $(s_{(27,178)}, \dots, s_{(27,242)}) = (*, \dots, *)$.

4) $(s_{(27,243)}, \dots, s_{(27,288)}) = (0, \dots, 0)$.

Proof: We induce the state at time 27 by gradually
renewing the state.

The state at time 1:

$$(s_{(1,1)}, \dots, s_{(1,93)}) = (k_{69}, k_1, \dots, k_{80}, 0, \dots, 0),$$
$$(s_{(1,94)}, \dots, s_{(1,177)}) = (k_{66}, 0, \dots, 0),$$
$$(s_{(1,178)}, \dots, s_{(1,288)}) = (0, \dots, 0, 1, 1).$$

The state at time 2:

$$(s_{(2,1)}, \dots, s_{(2,93)}) = (k_{68} + 1, k_{69}, k_1, \dots, k_{80}, 0, \dots, 0),$$
$$(s_{(2,94)}, \dots, s_{(2,177)}) = (k_{65}, k_{66}, 0, \dots, 0),$$
$$(s_{(2,178)}, \dots, s_{(2,288)}) = (0, \dots, 0, 1).$$

The state at time 3:

$$(s_{(3,1)}, \dots, s_{(3,93)}) = (k_{67} + 1, k_{68} + 1, k_{69}, k_1, \dots, k_{80}, 0, \dots, 0),$$
$$(s_{(3,94)}, \dots, s_{(3,177)}) = (k_{64}, k_{65}, k_{66}, 0, \dots, 0),$$
$$(s_{(3,178)}, \dots, s_{(3,288)}) = (0, \dots, 0).$$

The state at time 12:

$$(s_{(12,1)}, \dots, s_{(12,93)}) = (k_{58}, \dots, k_{66}, k_{67} + 1, k_{68} + 1, k_{69}, k_1, \dots, k_{80}, 0),$$
$$(s_{(12,94)}, \dots, s_{(12,177)}) = (k_{55}, \dots, k_{66}, 0, \dots, 0),$$
$$(s_{(12,178)}, \dots, s_{(12,242)}) = (*, \dots, *),$$
$$(s_{(12,243)}, \dots, s_{(12,288)}) = (0, \dots, 0).$$

The state at time 13:

$$(s_{(13,1)}, \dots, s_{(13,93)}) = (k_{57}, \dots, k_{66}, k_{67} + 1, k_{68} + 1, k_{69}, k_1, \dots, k_{80}),$$
$$(s_{(13,94)}, \dots, s_{(13,177)}) = (k_{54} + k_{79} k_{80}, k_{55}, \dots, k_{66}, 0, \dots, 0),$$
$$(s_{(13,178)}, \dots, s_{(13,242)}) = (*, \dots, *),$$
$$(s_{(13,243)}, \dots, s_{(13,288)}) = (0, \dots, 0).$$

The state at time 14:

$$(s_{(14,1)}, \dots, s_{(14,93)}) = (k_{56}, \dots, k_{66}, k_{67} + 1, k_{68} + 1, k_{69}, k_1, \dots, k_{79}),$$
$$(s_{(14,94)}, \dots, s_{(14,177)}) = (k_{53} + k_{78} k_{79} + k_{80},\ k_{54} + k_{79} k_{80},\ k_{55}, \dots, k_{66}, 0, \dots, 0),$$
$$(s_{(14,178)}, \dots, s_{(14,242)}) = (*, \dots, *),$$
$$(s_{(14,243)}, \dots, s_{(14,288)}) = (0, \dots, 0).$$

The state at time 27:

$$(s_{(27,1)}, \dots, s_{(27,93)}) = (k_{43}, \dots, k_{66}, k_{67} + 1, k_{68} + 1, k_{69}, k_1, \dots, k_{66}),$$
$$(s_{(27,94)}, \dots, s_{(27,177)}) = (k_{40} + k_{65} k_{66} + k_{67},\ \dots,\ k_{53} + k_{78} k_{79} + k_{80},\ k_{54} + k_{79} k_{80},\ k_{55}, \dots, k_{66}, 0, \dots, 0),$$
$$(s_{(27,178)}, \dots, s_{(27,242)}) = (*, \dots, *),$$
$$(s_{(27,243)}, \dots, s_{(27,288)}) = (0, \dots, 0).$$

Lemma 4 is proved. □

Notice that 1) and 2) of Lemma 3 are still true for Case 2:
$178 \le P_L \le 243$. Now we present a definition. For each $t$ such
that $t \ge 27$, define $a_{t+1} = s_{(t,66)} + s_{(t,91)} s_{(t,92)} + s_{(t,93)}$. For
each $t$ such that $0 \le t < 27$, define $a_{t+1} = a_{t+70}$.

Lemma 5:

1) For each $t$ such that $t \ge 27$,

$$(s_{(t+1,94)}, \dots, s_{(t+1,177)}) = (s_{(t,171)} + a_{t+1},\ s_{(t,94)}, \dots, s_{(t,176)}).$$

2) $\{a_{t+1}, t \ge 27\}$ has a period 69, where

$(a_{28}, \dots, a_{96}) = (k_{39} + k_{64} k_{65} + k_{66},\ k_{38} + k_{63} k_{64} + k_{65},\ \dots,\ k_1 + k_{26} k_{27} + k_{28},\ k_{69} + k_{25} k_{26} + k_{27},\ k_{68} + 1 + k_{24} k_{25} + k_{26},\ k_{67} + 1 + k_{23} k_{24} + k_{25},\ k_{66} + k_{22} k_{23} + k_{24},\ k_{65} + k_{21} k_{22} + k_{23},\ \dots,\ k_{45} + k_1 k_2 + k_3,\ k_{44} + k_{69} k_1 + k_2,\ k_{43} + (k_{68} + 1) k_{69} + k_1,\ k_{42} + (k_{67} + 1)(k_{68} + 1) + k_{69},\ k_{41} + k_{66} (k_{67} + 1) + k_{68} + 1,\ k_{40} + k_{65} k_{66} + k_{67} + 1)$.

3) $\{a_{t+1}, t \ge 27\}$ has a period 69.

Proof: 1) is clear from the Trivium state renewal. For each
$t$ such that $t \ge 27$, and each $j$ such that $1 \le j \le 69$,
$s_{(t,j)} = s_{(27,\, j-t+27 \pmod{69})}$. So that

$$\begin{aligned}
a_{t+1} &= s_{(t,66)} + s_{(t,91)} s_{(t,92)} + s_{(t,93)} \\
&= s_{(t,66)} + s_{(t,22)} s_{(t,23)} + s_{(t,24)} \\
&= s_{(27,\, 24-t \pmod{69})} + s_{(27,\, 49-t \pmod{69})}\, s_{(27,\, 50-t \pmod{69})} + s_{(27,\, 51-t \pmod{69})}.
\end{aligned}$$

So that 2) is true, and 3) is immediate from 2). Lemma 5
is proved. □

Lemma 6: Take the following changes for the state at time
27. $(s_{(27,172)}, \dots, s_{(27,177)})$ are changed as

$$(s_{(27,172)}, \dots, s_{(27,177)}) = (s_{(27,94)} + a_{27},\ s_{(27,95)} + a_{26},\ \dots,\ s_{(27,99)} + a_{22}),$$

and other positions of the state at time 27 are kept unchanged.
Then

1) For each $t$ such that $t \ge 33$, $(s_{(t,1)}, \dots, s_{(t,177)})$ and
$(s_{(t,243)}, \dots, s_{(t,288)})$ are kept unchanged.

2) The key-stream $(z_0 z_1 z_2 \cdots)$ is kept unchanged.

Proof: Notice that we are in Case 2: $178 \le P_L \le 243$,
and that the state bits shift rightwards. So that Lemma 6
is clear. □

Lemma 7: Take the state at time 27 as the changed value
as described in Lemma 6. Then for each $t$ such that $t \ge 27$, and
each $j$ such that $94 \le j \le 177$, $s_{(t+78,j)} = s_{(t,j)} + a_{t+172-j}$.

Proof:

1) If $94 \le j \le 171$ and $t \ge 27$, then $t + 172 - j \ge 28$, so
that

$$\begin{aligned}
s_{(t+78,j)} &= s_{(t+172-j,94)} \\
&= s_{(t+171-j,171)} + a_{t+172-j} \\
&= s_{(t,j)} + a_{t+172-j}.
\end{aligned}$$

2) If $172 \le j \le 177$ and $t \ge 33$, then $156 \le j - 6 \le 171$
and $t - 6 \ge 27$. By 1),

$$\begin{aligned}
s_{(t+78,j)} &= s_{(t-6+78,j-6)} \\
&= s_{(t-6,j-6)} + a_{t-6+172-(j-6)} \\
&= s_{(t,j)} + a_{t+172-j}.
\end{aligned}$$

3) If $172 \le j \le 177$ and $t = 27$, then $94 \le j - 78 \le 99$,
so that $s_{(27+78,j)} = s_{(27,j-78)}$. By the assumptions of
Lemma 6,

$$\begin{aligned}
s_{(27+78,j)} &= s_{(27,j-78)} \\
&= s_{(27,j)} + a_{27+172-j}.
\end{aligned}$$

4) If $172 \le j \le 177$, $28 \le t \le 32$, and $j - (t - 27) \le 171$,
then $167 \le j - (t - 27) \le 171$. By 1),

$$\begin{aligned}
s_{(t+78,j)} &= s_{(27+78,\, j-(t-27))} \\
&= s_{(27,\, j-(t-27))} + a_{27+172-(j-(t-27))} \\
&= s_{(t,j)} + a_{t+172-j}.
\end{aligned}$$

5) If $172 \le j \le 177$, $28 \le t \le 32$, and $j - (t - 27) \ge 172$,
then $172 \le j - (t - 27) \le 176$. By 3),

$$\begin{aligned}
s_{(t+78,j)} &= s_{(27+78,\, j-(t-27))} \\
&= s_{(27,\, j-(t-27))} + a_{27+172-(j-(t-27))} \\
&= s_{(t,j)} + a_{t+172-j}.
\end{aligned}$$

Lemma 7 is proved. □

Lemma 8: Take the state at time 27 as the changed value
as described in Lemma 6. Then

1) For each $t$ such that $t \ge 27$, and each $j$ such that
$94 \le j \le 177$,

$$s_{(t+1794,j)} = s_{(t,j)} + \sum_{m=0}^{22} a_{t+34-j+3m}.$$

2) $\{(s_{(t,1)}, \dots, s_{(t,177)}), t \ge 27\}$ has a period 3358.

Proof: According to Lemma 5, Lemma 6, Lemma 7 and
the fact that $1794 = 78 \times 23 = 69 \times 26$,

$$\begin{aligned}
s_{(t+1794,j)} &= s_{(t+78 \times 23,j)} \\
&= s_{(t,j)} + \sum_{n=0}^{22} a_{t+172-j+78 \times n \pmod{69}} \\
&= s_{(t,j)} + \sum_{m=0}^{22} a_{t+34-j+3m},
\end{aligned}$$

so that 1) is true. According to 1), for each $t$ such that $t \ge 27$, and
each $j$ such that $94 \le j \le 177$,

$$\begin{aligned}
s_{(t+3588,j)} &= s_{(t+1794+1794,j)} \\
&= s_{(t,j)} + \sum_{m=0}^{22} a_{t+34-j+3m} + \sum_{m=0}^{22} a_{t+1794+34-j+3m} \\
&= s_{(t,j)}.
\end{aligned}$$

This implies that $\{(s_{(t,94)}, \dots, s_{(t,177)}), t \ge 27\}$ has a period
3358. Again by the fact that $\{(s_{(t,1)}, \dots, s_{(t,93)}), t \ge 27\}$ has
a period 69, 2) is true. Lemma 8 is proved. □

Proposition 2: Suppose $178 \le P_L \le 243$. Then

1) The key-stream $(z_0 z_1 z_2 \cdots)$ has a period 3358.

2) $\{z_0, z_1, z_2, \dots, z_{3357}\}$ are linear functions of 216 variables

$$(s_{(27,25)}, \dots, s_{(27,93)}, s_{(27,100)}, \dots, s_{(27,177)}, a_{28}, \dots, a_{96}),$$

and these functions are known.

3) By knowing the values of $\{z_0, z_1, z_2, \dots, z_{3357}\}$, the
attacker obtains 3358 linear equations of 216 variables

$$(s_{(27,25)}, \dots, s_{(27,93)}, s_{(27,100)}, \dots, s_{(27,177)}, a_{28}, \dots, a_{96}).$$

The rank of these linear equations is 210, so that there
are $2^6 = 64$ possible solutions.

Proof: 1) is clear from Lemma 8. Notice that for each $t$
such that $t \ge 27$,

$$(s_{(t+1,1)}, \dots, s_{(t+1,93)}) = (s_{(t,69)}, s_{(t,1)}, \dots, s_{(t,92)}),$$
$$(s_{(t+1,94)}, \dots, s_{(t+1,177)}) = (s_{(t,171)} + a_{t+1},\ s_{(t,94)}, \dots, s_{(t,176)}).$$

So that, for each $t$ such that $t \ge 27$, $(s_{(t,1)}, \dots, s_{(t,177)})$ can
be induced from

$$(s_{(27,25)}, \dots, s_{(27,93)}, s_{(27,100)}, \dots, s_{(27,177)}, a_{28}, \dots, a_{96})$$

by linear recursion which is already known. So that 2) is true.
3) is our checking result. Proposition 2 is proved. □

Notice that the true value of

$$(s_{(27,25)}, \dots, s_{(27,93)}, s_{(27,100)}, \dots, s_{(27,177)}, a_{28}, \dots, a_{96})$$

satisfies

$$(s_{(27,25)}, \dots, s_{(27,93)}) = (k_{67} + 1, k_{68} + 1, k_{69}, k_1, \dots, k_{66})$$

and

$$(s_{(27,100)}, \dots, s_{(27,177)}) = (k_{46} + k_{71} k_{72} + k_{73},\ \dots,\ k_{53} + k_{78} k_{79} + k_{80},\ k_{54} + k_{79} k_{80},\ k_{55}, \dots, k_{66}, 0, \dots, 0,\ k_{40} + k_{65} k_{66} + k_{67} + a_{27},\ \dots,\ k_{45} + k_{70} k_{71} + k_{72} + a_{22}).$$

These relations present another group of equations of 216
variables

$$(s_{(27,25)}, \dots, s_{(27,93)}, s_{(27,100)}, \dots, s_{(27,177)}, a_{28}, \dots, a_{96}),$$

described as follows.

$$(s_{(27,109)}, \dots, s_{(27,171)}) = (s_{(27,82)}, \dots, s_{(27,93)}, 0, \dots, 0),$$

$$\begin{aligned}
a_{28} &= s_{(27,66)} + s_{(27,91)} s_{(27,92)} + s_{(27,93)}, \\
a_{29} &= s_{(27,65)} + s_{(27,90)} s_{(27,91)} + s_{(27,92)}, \\
&\ \ \vdots \\
a_{69} &= s_{(27,25)} + s_{(27,50)} s_{(27,51)} + s_{(27,52)}, \\
a_{70} &= s_{(27,93)} + s_{(27,49)} s_{(27,50)} + s_{(27,51)}, \\
a_{71} &= s_{(27,92)} + s_{(27,48)} s_{(27,49)} + s_{(27,50)}, \\
&\ \ \vdots \\
a_{94} &= s_{(27,69)} + s_{(27,25)} s_{(27,26)} + s_{(27,27)}, \\
a_{95} &= s_{(27,68)} + s_{(27,93)} s_{(27,25)} + s_{(27,26)}, \\
a_{96} &= s_{(27,67)} + s_{(27,92)} s_{(27,93)} + s_{(27,25)}.
\end{aligned}$$

All these equations are enough to determine the true value of

$$(s_{(27,25)}, \dots, s_{(27,93)}, s_{(27,100)}, \dots, s_{(27,177)}, a_{28}, \dots, a_{96}),$$

so that enough to determine the value of $(k_1, \dots, k_{69})$.
Besides, all these equations can determine the value of

$$(k_{68} k_{69} + k_{70},\ k_{69} k_{70} + k_{71},\ \dots,\ k_{78} k_{79} + k_{80}),$$

so that determine the value of $(k_{70}, \dots, k_{80})$.

C. Features of Fault Injected Machine in Case 3: $1 \le P_L \le 66$

Lemma 9:

1) For each $t$ such that $t \ge 92$,

$$(s_{(t,66)}, \dots, s_{(t,93)}) = (0, \dots, 0).$$

2) For each $t$ such that $t \ge 98$,

$$(s_{(t,172)}, \dots, s_{(t,177)}) = (s_{(t,94)}, \dots, s_{(t,99)}).$$

3) $\{(s_{(t,94)}, \dots, s_{(t,177)}), t \ge 98\}$ has a period 78.

Proof: 1) is clear in Case 3. 2) and 3) are immediate from
1). □

Now we present a definition. For each $t$ such that $t \ge 98$,
define

$$b_{t+1} = s_{(t,162)} + s_{(t,175)} s_{(t,176)} + s_{(t,177)}.$$

For each $t$ such that $0 \le t < 98$, define $b_{t+1} = b_{t+79}$.

Lemma 10:

1) For each $t$ such that $t \ge 98$,

$$(s_{(t+1,178)}, \dots, s_{(t+1,288)}) = (s_{(t,264)} + b_{t+1},\ s_{(t,178)}, \dots, s_{(t,287)}).$$

2) $\{b_{t+1}, t \ge 0\}$ has a period 78.

Proof: Lemma 10 is just similar to Lemma 5. □

Lemma 11: Take the following changes for the state at time
98. $(s_{(98,265)}, \dots, s_{(98,288)})$ are changed as

$$(s_{(98,265)}, \dots, s_{(98,288)}) = (s_{(98,178)} + b_{98},\ s_{(98,179)} + b_{97},\ \dots,\ s_{(98,201)} + b_{75}),$$

and other positions of the state at time 98 are kept unchanged.
Then

1) For each $t$ such that $t \ge 122$, $(s_{(t,66)}, \dots, s_{(t,288)})$ are
kept unchanged.

2) The key-stream $(z_0 z_1 z_2 \cdots)$ is kept unchanged.

Proof: Notice that we are in Case 3: $1 \le P_L \le 66$, and
that the state bits shift rightwards. So that Lemma 11 is clear. □

Lemma 12: Take the state at time 98 as the changed value
as described in Lemma 11. Then for each $t$ such that $t \ge 98$, and
each $j$ such that $178 \le j \le 288$,

$$s_{(t+87,j)} = s_{(t,j)} + b_{t+265-j}.$$
Proof: The proof of Lemma 12 is somewhat similar to
that of Lemma 7. The proving details are as follows.

1) If $178 \le j \le 264$ and $t \ge 98$, then $t + 265 - j \ge 99$, so
that

$$\begin{aligned}
s_{(t+87,j)} &= s_{(t+265-j,178)} \\
&= s_{(t+264-j,264)} + b_{t+265-j} \\
&= s_{(t,j)} + b_{t+265-j}.
\end{aligned}$$

2) If $265 \le j \le 288$ and $t \ge 122$, then $241 \le j - 24 \le 264$
and $t - 24 \ge 98$. By 1),

$$\begin{aligned}
s_{(t+87,j)} &= s_{(t-24+87,j-24)} \\
&= s_{(t-24,j-24)} + b_{t-24+265-(j-24)} \\
&= s_{(t,j)} + b_{t+265-j}.
\end{aligned}$$

3) If $265 \le j \le 288$ and $t = 98$, then $178 \le j - 87 \le 201$,
so $s_{(98+87,j)} = s_{(98,j-87)}$. By the assumptions of
Lemma 11,

$$\begin{aligned}
s_{(98+87,j)} &= s_{(98,j-87)} \\
&= s_{(98,j)} + b_{98+265-j}.
\end{aligned}$$

4) If $265 \le j \le 288$, $99 \le t \le 121$, and $j - (t - 98) \le 264$,
then $242 \le j - (t - 98) \le 264$. By 1),

$$\begin{aligned}
s_{(t+87,j)} &= s_{(98+87,\, j-(t-98))} \\
&= s_{(98,\, j-(t-98))} + b_{98+265-(j-(t-98))} \\
&= s_{(t,j)} + b_{t+265-j}.
\end{aligned}$$

5) If $265 \le j \le 288$, $99 \le t \le 121$, and $j - (t - 98) \ge 265$,
then $265 \le j - (t - 98) \le 287$. By 3),

$$\begin{aligned}
s_{(t+87,j)} &= s_{(98+87,\, j-(t-98))} \\
&= s_{(98,\, j-(t-98))} + b_{98+265-(j-(t-98))} \\
&= s_{(t,j)} + b_{t+265-j}.
\end{aligned}$$

Lemma 12 is proved. □

Lemma 13: Take the state at time 98 as the changed value
as described in Lemma 11. Then

1) For each $t$ such that $t \ge 98$, and each $j$ such that
$178 \le j \le 288$,

$$s_{(t+2262,j)} = s_{(t,j)} + \sum_{m=0}^{25} b_{t+31-j+3m}.$$

2) $\{(s_{(t,94)}, \dots, s_{(t,288)}), t \ge 98\}$ has a period 4524.

Proof: According to Lemma 10, Lemma 11, Lemma 12
and the fact that $2262 = 87 \times 26 = 78 \times 29$,

$$\begin{aligned}
s_{(t+2262,j)} &= s_{(t+87 \times 26,j)} \\
&= s_{(t,j)} + \sum_{n=0}^{25} b_{t+265-j+87 \times n \pmod{78}} \\
&= s_{(t,j)} + \sum_{m=0}^{25} b_{t+31-j+3m},
\end{aligned}$$

so that 1) is true. According to 1), for each $t$ such that $t \ge 98$, and
each $j$ such that $178 \le j \le 288$,

$$\begin{aligned}
s_{(t+4524,j)} &= s_{(t+2262+2262,j)} \\
&= s_{(t,j)} + \sum_{m=0}^{25} b_{t+31-j+3m} + \sum_{m=0}^{25} b_{t+2262+31-j+3m} \\
&= s_{(t,j)}.
\end{aligned}$$

This implies that $\{(s_{(t,178)}, \dots, s_{(t,288)}), t \ge 98\}$ has a period
4524. Again by the fact that $\{(s_{(t,94)}, \dots, s_{(t,177)}), t \ge 98\}$
has a period 78, Lemma 13 is proved. □

Proposition 3: Suppose $1 \le P_L \le 66$. Then

1) The key-stream $(z_0 z_1 z_2 \cdots)$ has a period 4524.

2) $(z_0, z_1, z_2, \dots, z_{4523})$ are linear functions of 243 variables
$(s_{(98,100)}, \dots, s_{(98,177)}, s_{(98,202)}, \dots, s_{(98,288)}, b_{99}, \dots, b_{176})$,
and these functions are known.

3) By knowing the values of $(z_0, z_1, z_2, \dots, z_{4523})$, the
attacker obtains 4524 linear equations of 243 variables
$(s_{(98,100)}, \dots, s_{(98,177)}, s_{(98,202)}, \dots, s_{(98,288)}, b_{99}, \dots, b_{176})$.
The rank of these linear equations is 237, so that
there are $2^6 = 64$ possible solutions.

Proof: 1) is clear from Lemma 13. Notice that for each
$t$ such that $t \ge 98$,

$$(s_{(t+1,94)}, \dots, s_{(t+1,177)}) = (s_{(t,171)}, s_{(t,94)}, \dots, s_{(t,176)}),$$
$$(s_{(t+1,178)}, \dots, s_{(t+1,288)}) = (s_{(t,264)} + b_{t+1},\ s_{(t,178)}, \dots, s_{(t,287)}).$$

So that, for each $t$ such that $t \ge 98$, $(s_{(t,94)}, \dots, s_{(t,288)})$
can be induced from $(s_{(98,100)}, \dots, s_{(98,177)}, s_{(98,202)}, \dots,
s_{(98,288)}, b_{99}, \dots, b_{176})$ by linear recursion which is already
known. So that 2) is true.

3) is our checking result. Proposition 3 is proved. □

Notice that the true value of $(s_{(98,100)}, \dots, s_{(98,177)},
s_{(98,202)}, \dots, s_{(98,288)}, b_{99}, \dots, b_{176})$ satisfies 78 non-linear
equations, described as follows.

$$\begin{aligned}
b_{99} &= s_{(98,162)} + s_{(98,175)} s_{(98,176)} + s_{(98,177)}, \\
b_{100} &= s_{(98,161)} + s_{(98,174)} s_{(98,175)} + s_{(98,176)}, \\
&\ \ \vdots \\
b_{161} &= s_{(98,100)} + s_{(98,113)} s_{(98,114)} + s_{(98,115)}, \\
b_{162} &= s_{(98,177)} + s_{(98,112)} s_{(98,113)} + s_{(98,114)}, \\
b_{163} &= s_{(98,176)} + s_{(98,111)} s_{(98,112)} + s_{(98,113)}, \\
&\ \ \vdots \\
b_{174} &= s_{(98,165)} + s_{(98,100)} s_{(98,101)} + s_{(98,102)}, \\
b_{175} &= s_{(98,164)} + s_{(98,177)} s_{(98,100)} + s_{(98,101)}, \\
b_{176} &= s_{(98,163)} + s_{(98,176)} s_{(98,177)} + s_{(98,100)}.
\end{aligned}$$

78 non-linear equations and 4524 linear equations are
enough to determine the true value of $(s_{(98,100)}, \dots,
s_{(98,177)}, b_{99}, \dots, b_{176})$. They are not enough to determine the
true value of $(s_{(98,202)}, \dots, s_{(98,288)})$ because, in each linear
equation, just 2 variables of $(s_{(98,202)}, \dots, s_{(98,288)})$ appear.
After that determination, 4524 linear equations become the
linear equations of 87 variables $(s_{(98,202)}, \dots, s_{(98,288)})$, and
we have verified that the rank of these linear equations is
86. This fact restricts $(s_{(98,202)}, \dots, s_{(98,288)})$ into 2 possible
values.

Then we redefine $\{a_{t+1}, t \ge 0\}$. For each $t$ such that $t \ge 0$,
$a_{t+1} = s_{(t,66)} + s_{(t,91)} s_{(t,92)} + s_{(t,93)}$. By considering Lemma
9, $a_{t+1} = 0$ for each $t$ such that $t \ge 92$.

Lemma 14:

1) $(s_{(98,94)}, \dots, s_{(98,177)}) = (a_{20}, a_{19}, \dots, a_{15},\ a_{14} + a_{92},\ a_{13} + a_{91},\ \dots,\ a_1 + a_{79},\ a_{78}, a_{77}, \dots, a_{15})$.

2) $(s_{(98,178)}, \dots, s_{(98,288)}) = (a_{29}, a_{28}, \dots, a_1, 0, \dots, 0,\ b_{98} + a_{29},\ b_{97} + a_{28},\ \dots,\ b_{75} + a_6)$
(this is the changed value according to Lemma 11).

Proof: We induce the state at time 98 by gradually
renewing the state.

1)
$$(s_{(78,94)}, \dots, s_{(78,177)}) = (a_{78}, a_{77}, \dots, a_1, 0, \dots, 0),$$
$$(s_{(84,94)}, \dots, s_{(84,177)}) = (a_6 + a_{84},\ a_5 + a_{83},\ \dots,\ a_1 + a_{79},\ a_{78}, a_{77}, \dots, a_1),$$
$$(s_{(92,94)}, \dots, s_{(92,177)}) = (a_{14} + a_{92},\ a_{13} + a_{91},\ \dots,\ a_1 + a_{79},\ a_{78}, a_{77}, \dots, a_9),$$
$$(s_{(98,94)}, \dots, s_{(98,177)}) = (a_{20}, a_{19}, \dots, a_{15},\ a_{14} + a_{92},\ a_{13} + a_{91},\ \dots,\ a_1 + a_{79},\ a_{78}, a_{77}, \dots, a_{15}).$$

2)
$$(s_{(69,178)}, \dots, s_{(69,288)}) = (0, \dots, 0),$$
$$(s_{(78,178)}, \dots, s_{(78,288)}) = (a_9, a_8, \dots, a_1, 0, \dots, 0),$$
$$(s_{(98,178)}, \dots, s_{(98,288)}) = (a_{29}, a_{28}, \dots, a_1, 0, \dots, 0).$$

But the value of $(s_{(98,265)}, \dots, s_{(98,288)})$ is changed
according to Lemma 11, so that

$$(s_{(98,178)}, \dots, s_{(98,288)}) = (a_{29}, a_{28}, \dots, a_1, 0, \dots, 0,\ b_{98} + a_{29},\ b_{97} + a_{28},\ \dots,\ b_{75} + a_6).$$

Lemma 14 is proved. □

Lemma 14 shows (s( 98 , 2 o7), «(98,208), • ' ' , s (98,264)) = 
(0, • • • ,0). This fact and all former equations are enough to 
determine the true value of (s( 98 ,202), • ■ ■ , S( 98 ,288))- 

Up to now, 243 variables {s (98 ,i o), ■ • • , S(98,i77), 5( 98 ,202), 
• ' ' 7 5(98.288)7 ^997 ' ' ' 7 ^176} have already been uniquely de- 
termined. According to Lemma 14, the attacker can solve the 
value of (ai,a 2 ,-- - , a 92 ), which is the closest to the key 
(k\,--- ,kso). (ai,a 2 ,-- - , a 92 ) is an unknown function of 
(fei, • • • , fc 8 o), because hard fault positions are unknown. But 
(ffll, a 2 , • • • , ag 2 ) can partially reveal the key, as described in 
Proposition 4 and Proposition 5. 
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Lemma 15: Suppose the indices of hard-fault-injected-bits 
are not from the set {j, j + 1, • ■ ■ , j + m}, where 1 < j < 
j + m< 93. Then s (mJ+m) = s (0j) . 

Proposition 4: Suppose $1 \le P_L \le 66$. Suppose $a_{t+1} = 1$ for some $t$ such that $0 \le t \le 11$. Then

$$(a_1, a_2, \ldots, a_{t+1}) = (k_{66}, k_{65}, \ldots, k_{66-t}).$$

Proof: Notice that

$$(s_{(0,81)}, s_{(0,82)}, \ldots, s_{(0,93)}) = (0, \ldots, 0),$$

so that

$$(s_{(0,91)} s_{(0,92)} + s_{(0,93)},\ s_{(1,91)} s_{(1,92)} + s_{(1,93)},\ \ldots,\ s_{(12,91)} s_{(12,92)} + s_{(12,93)}) = (0, \ldots, 0),$$

and that

$$(a_1, a_2, \ldots, a_{12}) = (s_{(0,66)}, s_{(1,66)}, \ldots, s_{(12,66)}).$$

Suppose $a_{t+1} = 1$ for some $t$ such that $0 \le t \le 11$; then the indices of hard-fault-injected-bits are never from the set $\{66-t, 67-t, \ldots, 66\}$, or else there would be a contradiction. According to Lemma 15,

$$\begin{aligned}
(a_1, a_2, \ldots, a_{t+1}) &= (s_{(0,66)}, s_{(1,66)}, \ldots, s_{(t,66)}) \\
&= (s_{(0,66)}, s_{(0,65)}, \ldots, s_{(0,66-t)}) \\
&= (k_{66}, k_{65}, \ldots, k_{66-t}).
\end{aligned}$$

Proposition 4 is proved. □

Proposition 5: Suppose $1 \le P_L \le 66$. Suppose $a_{t+1} = 1$ for some $t$ such that $67 \le t \le 91$. Then

1) $(a_1, a_2, \ldots, a_{12}) = (k_{66}, k_{65}, \ldots, k_{55})$.

2) $a_{13} = k_{54} + k_{79} k_{80}$.

3) Either a) or b) is true, where

a) $a_{u+1} = k_{66-u} + k_{91-u} k_{92-u} + k_{93-u}$ for $13 \le u \le t-27$, and $a_{v+1} = k_{91-v} k_{92-v} + k_{93-v}$ for $65 \le v \le t-2$.

b) $a_{u+1} = k_{66-u} + k_{91-u} k_{92-u}$ for $13 \le u \le t-27$, and $a_{v+1} = k_{91-v} k_{92-v}$ for $65 \le v \le t-2$.

Proof: By the assumption "$1 \le P_L \le 66$" we know that

$$(s_{(65,66)}, s_{(66,66)}, \ldots, s_{(91,66)}) = (0, \ldots, 0),$$

so that

$$(a_{66}, a_{67}, \ldots, a_{92}) = (s_{(65,91)} s_{(65,92)} + s_{(65,93)},\ s_{(66,91)} s_{(66,92)} + s_{(66,93)},\ \ldots,\ s_{(91,91)} s_{(91,92)} + s_{(91,93)}).$$

Suppose $a_{t+1} = s_{(t,91)} s_{(t,92)} + s_{(t,93)} = 1$ for some $t$ such that $67 \le t \le 91$; then the indices of hard-fault-injected-bit are never from the set $\{93-t, 94-t, \ldots, 92\}$, or else there would be a contradiction. Notice that $(a_1, a_2, \ldots, a_{12}) = (s_{(0,66)}, s_{(1,66)}, \ldots, s_{(11,66)})$. So that

$$\begin{aligned}
(a_1, a_2, \ldots, a_{12}) &= (s_{(0,66)}, s_{(1,66)}, \ldots, s_{(11,66)}) \\
&= (s_{(0,66)}, s_{(0,65)}, \ldots, s_{(0,55)}) \\
&= (k_{66}, k_{65}, \ldots, k_{55}).
\end{aligned}$$

$$\begin{aligned}
a_{13} &= s_{(12,66)} + s_{(12,91)} s_{(12,92)} + s_{(12,93)} \\
&= s_{(0,54)} + s_{(0,79)} s_{(0,80)} + s_{(0,81)} \\
&= k_{54} + k_{79} k_{80}.
\end{aligned}$$

1) and 2) are true.

Now suppose that 93 is not an index of hard-fault-injected-bit.

For each $u$ such that $13 \le u \le t-27$, we have $93-t \le 66-u < 91-u < 92-u < 93-u \le 80$, so that

$$\begin{aligned}
a_{u+1} &= s_{(u,66)} + s_{(u,91)} s_{(u,92)} + s_{(u,93)} \\
&= s_{(0,66-u)} + s_{(0,91-u)} s_{(0,92-u)} + s_{(0,93-u)} \\
&= k_{66-u} + k_{91-u} k_{92-u} + k_{93-u}.
\end{aligned}$$

For each $v$ such that $65 \le v \le t-2$, we have $93-t \le 91-v < 92-v < 93-v \le 28$, so that

$$\begin{aligned}
a_{v+1} &= s_{(v,66)} + s_{(v,91)} s_{(v,92)} + s_{(v,93)} \\
&= s_{(v,91)} s_{(v,92)} + s_{(v,93)} \\
&= s_{(0,91-v)} s_{(0,92-v)} + s_{(0,93-v)} \\
&= k_{91-v} k_{92-v} + k_{93-v}.
\end{aligned}$$

a) is true.

Now suppose that 93 is an index of hard-fault-injected-bit.

Then $s_{(0,93)} = s_{(1,93)} = \cdots = s_{(91,93)} = 0$.

For each $u$ such that $13 \le u \le t-27$, we have $93-t \le 66-u < 91-u < 92-u \le 79$, so that

$$\begin{aligned}
a_{u+1} &= s_{(u,66)} + s_{(u,91)} s_{(u,92)} + s_{(u,93)} \\
&= s_{(u,66)} + s_{(u,91)} s_{(u,92)} \\
&= s_{(0,66-u)} + s_{(0,91-u)} s_{(0,92-u)} \\
&= k_{66-u} + k_{91-u} k_{92-u}.
\end{aligned}$$

For each $v$ such that $65 \le v \le t-2$, we have $93-t \le 91-v < 92-v \le 27$, so that

$$\begin{aligned}
a_{v+1} &= s_{(v,66)} + s_{(v,91)} s_{(v,92)} + s_{(v,93)} \\
&= s_{(v,91)} s_{(v,92)} \\
&= s_{(0,91-v)} s_{(0,92-v)} \\
&= k_{91-v} k_{92-v}.
\end{aligned}$$

Proposition 5 is proved. □

D. Features of Fault Injected Machine in Case 4: $163 \le P_L \le 171$

Proposition 6: Suppose we are in Case 4: $163 \le P_L \le 171$. Then

1) For each $t$ such that $t \ge 0$,

$$(s_{(t,171)}, \ldots, s_{(t,177)}) = (0, \ldots, 0),$$

so that generation of the key-stream $(z_0 z_1 z_2 \cdots)$ is degraded as

$$z_t = s_{(t+1152,66)} + s_{(t+1152,93)} + s_{(t+1152,162)} + s_{(t+1152,243)} + s_{(t+1152,288)}, \quad t \ge 0,$$

and the state is degraded into 273 bits

$$(s_{(t,1)}, s_{(t,2)}, \ldots, s_{(t,162)}, s_{(t,178)}, s_{(t,179)}, \ldots, s_{(t,288)}).$$

2) The state renewal is as follows.

$$\begin{aligned}
(s_{(t+1,1)}, s_{(t+1,2)}, \ldots, s_{(t+1,93)}) &= (s_{(t,243)} + s_{(t,286)} s_{(t,287)} + s_{(t,288)} + s_{(t,69)},\ s_{(t,1)}, \ldots, s_{(t,92)}), \\
(s_{(t+1,94)}, s_{(t+1,95)}, \ldots, s_{(t+1,162)}) &= (s_{(t,66)} + s_{(t,91)} s_{(t,92)} + s_{(t,93)},\ s_{(t,94)}, \ldots, s_{(t,161)}), \\
(s_{(t+1,178)}, s_{(t+1,179)}, \ldots, s_{(t+1,288)}) &= (s_{(t,162)} + s_{(t,264)},\ s_{(t,178)}, \ldots, s_{(t,287)}).
\end{aligned}$$

3) The state renewal is reversible, and the inverse is as follows.

$$\begin{aligned}
(s_{(t,1)}, s_{(t,2)}, \ldots, s_{(t,93)}) &= (s_{(t+1,2)}, s_{(t+1,3)}, \ldots, s_{(t+1,93)},\ s_{(t+1,67)} + s_{(t+1,92)} s_{(t+1,93)} + s_{(t+1,94)}), \\
(s_{(t,94)}, s_{(t,95)}, \ldots, s_{(t,162)}) &= (s_{(t+1,95)}, s_{(t+1,96)}, \ldots, s_{(t+1,162)},\ s_{(t+1,178)} + s_{(t+1,265)}), \\
(s_{(t,178)}, s_{(t,179)}, \ldots, s_{(t,288)}) &= (s_{(t+1,179)}, s_{(t+1,180)}, \ldots, s_{(t+1,288)},\ s_{(t+1,244)} + s_{(t+1,287)} s_{(t+1,288)} + s_{(t+1,1)} + s_{(t+1,70)}).
\end{aligned}$$

4) Change the IV (Initial Vector) from $(IV_1, \ldots, IV_{80}) = (0, \ldots, 0)$ to the following: $IV_j = 0$ for each $j$ such that $1 \le j \le 80$, except $IV_{70} = 1$. Then the key-stream $(z_0 z_1 z_2 \cdots)$ is kept unchanged.

Proposition 6 is clear by considering Trivium key-stream 
generation and Trivium state renewal. The following Proposi- 
tion 7 is our checking result. 

Proposition 7: Suppose we are in Case 4: $163 \le P_L \le 171$. Let $(s_1, \ldots, s_{162}, s_{178}, \ldots, s_{288})$ denote the initial state (that is, the state at the time just before generating $z_0$). Take $\{z_0, z_1, z_2, \ldots\}$ as functions of $(s_1, \ldots, s_{162}, s_{178}, \ldots, s_{288})$. Then

1) $\{z_0, z_1, \ldots, z_{65}\}$ are 66 linear functions.

2) $\{z_{66}, z_{67}, \ldots, z_{159}\}$ are 94 quadratic functions.

3) $\{z_{160}, z_{161}, \ldots, z_{228}\}$ are 69 cubic functions.

4) Each of $\{z_{229}, z_{230}, \ldots\}$ is at least a quartic function.

Proposition 6 and Proposition 7 present a simpler cipher than Trivium. It has a smaller number of state bits and a slower non-linearization procedure, so it is easier to solve for the state at a fixed time. If the state at a fixed time is known, the key will be known by reversing the state.
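The renewal and inverse formulas of Proposition 6, and the IV claim in its item 4, can be checked by simulation. The following Python code is an added example, not code from the paper; it assumes the hard fault is a single bit held at 0 at position $P_L$ and that the unfaulted cipher follows the standard Trivium specification, and all function names are illustrative.

```python
import random
IV70 = [0] * 69 + [1] + [0] * 10   # Proposition 6, item 4: all IV bits 0 except IV_70

def load(key, iv):
    """Trivium loading on a 1-indexed list: key -> s1..s80, IV -> s94..s173, s286..s288 = 1."""
    return [0] + key + [0] * 13 + iv + [0] * 112 + [1, 1, 1]

def full_step(s, stuck):
    """One clock of unmodified Trivium, then hold bit `stuck` at 0 (assumed fault model)."""
    t1 = s[66] ^ s[93] ^ (s[91] & s[92]) ^ s[171]
    t2 = s[162] ^ s[177] ^ (s[175] & s[176]) ^ s[264]
    t3 = s[243] ^ s[288] ^ (s[286] & s[287]) ^ s[69]
    n = [0, t3] + s[1:93] + [t1] + s[94:177] + [t2] + s[178:288]
    n[stuck] = 0
    return n

def degraded_step(s):
    """Proposition 6, item 2: renewal of the 273 tracked bits (163..177 kept at 0)."""
    a = s[243] ^ (s[286] & s[287]) ^ s[288] ^ s[69]
    b = s[66] ^ (s[91] & s[92]) ^ s[93]
    c = s[162] ^ s[264]
    return [0, a] + s[1:93] + [b] + s[94:162] + [0] * 15 + [c] + s[178:288]

def degraded_inverse(s):
    """Proposition 6, item 3: the inverse renewal."""
    a = s[67] ^ (s[92] & s[93]) ^ s[94]              # recovers s_(t,93)
    b = s[178] ^ s[265]                              # recovers s_(t,162)
    c = s[244] ^ (s[287] & s[288]) ^ s[1] ^ s[70]    # recovers s_(t,288)
    return [0] + s[2:94] + [a] + s[95:163] + [b] + [0] * 15 + s[179:289] + [c]

def keystream(s, step, n):
    """z_0..z_{n-1} after 1152 warm-up clocks; s177 is always 0 in the degraded model."""
    out = []
    for t in range(1152 + n):
        if t >= 1152:
            out.append(s[66] ^ s[93] ^ s[162] ^ s[177] ^ s[243] ^ s[288])
        s = step(s)
    return out

def faulty_keystream(key, iv, stuck, n):
    """Full Trivium with bit `stuck` held at 0 from loading onwards."""
    s = load(key, iv)
    s[stuck] = 0
    return keystream(s, lambda x: full_step(x, stuck), n)

def degraded_keystream(key, n):
    """Key-stream of the 273-bit model of Proposition 6 with IV = 0."""
    return keystream(load(key, [0] * 80), degraded_step, n)

if __name__ == "__main__":
    key = [random.getrandbits(1) for _ in range(80)]   # constructed sample key
    for p in range(163, 172):                          # every Case 4 position
        ref = faulty_keystream(key, [0] * 80, p, 288)
        print(p, ref == degraded_keystream(key, 288), ref == faulty_keystream(key, IV70, p, 288))
```

Each printed row reads `p True True`: the first flag confirms the degraded model reproduces the faulty machine's key-stream, the second that setting $IV_{70} = 1$ leaves $z_0, \ldots, z_{287}$ unchanged.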

E. Features of Fault Injected Machine in Case 5: $172 \le P_L \le 176$

Lemma 16: Suppose we are in Case 5: $172 \le P_L \le 176$. Then

1) For each $t$ such that $t \ge 5$,

$$(s_{(t,176)}, s_{(t,177)}) = (0, 0).$$

2) Suppose $m$ is the earliest time such that, for each $t \ge m$, $(s_{(t,176)}, s_{(t,177)}) = (0, 0)$. Then for each $t \ge m$, we have

a) The state is degraded into 282 bits

$$(s_{(t,1)}, s_{(t,2)}, \ldots, s_{(t,171)}, s_{(t,178)}, s_{(t,179)}, \ldots, s_{(t,288)}).$$

b) State renewal is as follows.

$$\begin{aligned}
(s_{(t+1,1)}, s_{(t+1,2)}, \ldots, s_{(t+1,93)}) &= (s_{(t,243)} + s_{(t,286)} s_{(t,287)} + s_{(t,288)} + s_{(t,69)},\ s_{(t,1)}, \ldots, s_{(t,92)}), \\
(s_{(t+1,94)}, s_{(t+1,95)}, \ldots, s_{(t+1,171)}) &= (s_{(t,66)} + s_{(t,91)} s_{(t,92)} + s_{(t,93)} + s_{(t,171)},\ s_{(t,94)}, \ldots, s_{(t,170)}), \\
(s_{(t+1,178)}, s_{(t+1,179)}, \ldots, s_{(t+1,288)}) &= (s_{(t,162)} + s_{(t,264)},\ s_{(t,178)}, \ldots, s_{(t,287)}).
\end{aligned}$$

Lemma 16 is clear by considering Trivium key-stream generation and Trivium state renewal. Notice that the state renewal procedure in Lemma 16-2)-b) is irreversible.

Lemma 17: Suppose $m$ is the earliest time such that, for each $t \ge m$, $(s_{(t,176)}, s_{(t,177)}) = (0, 0)$. Then

1) For each $t$ such that $t \ge m + 1$,

$$s_{(t,163)} + s_{(t,178)} + s_{(t,265)} = 0.$$

2) For each $t$ such that $t \ge m + 2$,

$$s_{(t,164)} + s_{(t,179)} + s_{(t,266)} = 0.$$

$\vdots$

9) For each $t$ such that $t \ge m + 9$,

$$s_{(t,171)} + s_{(t,186)} + s_{(t,273)} = 0.$$

Proof: By Lemma 16 we know that, for each $t$ such that $t \ge m + 1$,

$$\begin{aligned}
s_{(t,163)} &= s_{(t-1,162)}, \\
s_{(t,178)} &= s_{(t-1,162)} + s_{(t-1,264)}, \\
s_{(t,265)} &= s_{(t-1,264)}.
\end{aligned}$$

So that 1) is true. Again for each $t$ such that $t \ge m + 1$,

$$\begin{aligned}
s_{(t,163)} + s_{(t,178)} + s_{(t,265)} &= s_{(t+1,164)} + s_{(t+1,179)} + s_{(t+1,266)} \\
&= \cdots \\
&= s_{(t+8,171)} + s_{(t+8,186)} + s_{(t+8,273)}.
\end{aligned}$$

So that 2), 3), $\ldots$, 9) are true, by considering 1). Lemma 17 is proved. □

Proposition 8: Suppose we are in Case 5: $172 \le P_L \le 176$. Then

1) Generation of the key-stream $(z_0 z_1 z_2 \cdots)$ is degraded as

$$z_t = s_{(t+1152,66)} + s_{(t+1152,93)} + s_{(t+1152,162)} + s_{(t+1152,243)} + s_{(t+1152,288)}, \quad t \ge 0.$$

2) Suppose $m$ is the earliest time such that, for each $t \ge m$, $(s_{(t,176)}, s_{(t,177)}) = (0, 0)$. Then for each $t \ge m + 9$, we have

a) The state is degraded into 273 bits

$$(s_{(t,1)}, s_{(t,2)}, \ldots, s_{(t,162)}, s_{(t,178)}, s_{(t,179)}, \ldots, s_{(t,288)}).$$

b) The state renewal is as follows.

$$\begin{aligned}
(s_{(t+1,1)}, s_{(t+1,2)}, \ldots, s_{(t+1,93)}) &= (s_{(t,243)} + s_{(t,286)} s_{(t,287)} + s_{(t,288)} + s_{(t,69)},\ s_{(t,1)}, \ldots, s_{(t,92)}), \\
(s_{(t+1,94)}, s_{(t+1,95)}, \ldots, s_{(t+1,162)}) &= (s_{(t,66)} + s_{(t,91)} s_{(t,92)} + s_{(t,93)} + s_{(t,186)} + s_{(t,273)},\ s_{(t,94)}, \ldots, s_{(t,161)}), \\
(s_{(t+1,178)}, s_{(t+1,179)}, \ldots, s_{(t+1,288)}) &= (s_{(t,162)} + s_{(t,264)},\ s_{(t,178)}, \ldots, s_{(t,287)}).
\end{aligned}$$

c) The state renewal is reversible, and the inverse is as follows.

$$\begin{aligned}
(s_{(t,1)}, s_{(t,2)}, \ldots, s_{(t,93)}) &= (s_{(t+1,2)}, s_{(t+1,3)}, \ldots, s_{(t+1,93)},\ s_{(t+1,67)} + s_{(t+1,92)} s_{(t+1,93)} + s_{(t+1,94)} + s_{(t+1,187)} + s_{(t+1,274)}), \\
(s_{(t,94)}, s_{(t,95)}, \ldots, s_{(t,162)}) &= (s_{(t+1,95)}, s_{(t+1,96)}, \ldots, s_{(t+1,162)},\ s_{(t+1,178)} + s_{(t+1,265)}), \\
(s_{(t,178)}, s_{(t,179)}, \ldots, s_{(t,288)}) &= (s_{(t+1,179)}, s_{(t+1,180)}, \ldots, s_{(t+1,288)},\ s_{(t+1,1)} + s_{(t+1,70)} + s_{(t+1,244)} + s_{(t+1,287)} s_{(t+1,288)}).
\end{aligned}$$

3) Change the IV (Initial Vector) from $(IV_1, \ldots, IV_{80}) = (0, \ldots, 0)$ to the following: $IV_j = 0$ for each $j$ such that $1 \le j \le 80$, except $IV_{79} = 1$. Then the key-stream $(z_0 z_1 z_2 \cdots)$ is kept unchanged.

Proof: 1) is clear. 2) is a natural corollary of Lemma 16 and Lemma 17. 3) is clear. □

The following Proposition 9 is our checking result.

Proposition 9: Suppose we are in Case 5: $172 \le P_L \le 176$. Let $(s_1, \ldots, s_{162}, s_{178}, \ldots, s_{288})$ denote the initial state (that is, the state at the time just before generating $z_0$). Take $\{z_0, z_1, z_2, \ldots\}$ as functions of $(s_1, \ldots, s_{162}, s_{178}, \ldots, s_{288})$. Then

1) $\{z_0, z_1, \ldots, z_{65}\}$ are 66 linear functions.

2) $\{z_{66}, z_{67}, \ldots, z_{159}\}$ are 94 quadratic functions.

3) $\{z_{160}, z_{161}, \ldots, z_{228}\}$ are 69 cubic functions.

4) Each of $\{z_{229}, z_{230}, \ldots\}$ is at least a quartic function.

Proposition 8 and Proposition 9 present a simpler cipher than Trivium. It has a smaller number of state bits and a slower non-linearization procedure, so it is easier to solve for the state at a fixed time. If the state at a fixed time is known, the state at time 14 will be known by reversing the state, as described in Proposition 8 (we know that $14 \ge m + 9$, where $m$ is the earliest time such that, for each $t \ge m$, $(s_{(t,176)}, s_{(t,177)}) = (0, 0)$).

Now suppose that the state at time 14 is known. We know that $(k_1, \ldots, k_{79}) = (s_{(14,15)}, s_{(14,16)}, \ldots, s_{(14,93)})$. Then, if $m < 5$,

$$k_{80} = s_{(13,93)} = s_{(14,67)} + s_{(14,92)} s_{(14,93)} + s_{(14,94)} + s_{(14,187)} + s_{(14,274)},$$

according to Proposition 8. If $m = 5$, the value of $k_{80}$ cannot be determined.

F. Features of Fault Injected Machine in Case 6: $P_L = 177$

Proposition 10: Suppose we are in Case 6: $P_L = 177$. Then

1) Generation of the key-stream $(z_0 z_1 z_2 \cdots)$ is degraded as

$$z_t = s_{(t+1152,66)} + s_{(t+1152,93)} + s_{(t+1152,162)} + s_{(t+1152,243)} + s_{(t+1152,288)}, \quad t \ge 0.$$

2) The state is degraded into 287 bits

$$(s_{(t,1)}, s_{(t,2)}, \ldots, s_{(t,176)}, s_{(t,178)}, s_{(t,179)}, \ldots, s_{(t,288)}).$$

3) The state renewal is as follows.

$$\begin{aligned}
(s_{(t+1,1)}, s_{(t+1,2)}, \ldots, s_{(t+1,93)}) &= (s_{(t,243)} + s_{(t,286)} s_{(t,287)} + s_{(t,288)} + s_{(t,69)},\ s_{(t,1)}, \ldots, s_{(t,92)}), \\
(s_{(t+1,94)}, s_{(t+1,95)}, \ldots, s_{(t+1,176)}) &= (s_{(t,66)} + s_{(t,91)} s_{(t,92)} + s_{(t,93)} + s_{(t,171)},\ s_{(t,94)}, \ldots, s_{(t,175)}), \\
(s_{(t+1,178)}, s_{(t+1,179)}, \ldots, s_{(t+1,288)}) &= (s_{(t,162)} + s_{(t,175)} s_{(t,176)} + s_{(t,264)},\ s_{(t,178)}, \ldots, s_{(t,287)}).
\end{aligned}$$

4) Change the IV (Initial Vector) as $(IV_1, \ldots, IV_{78}) = (0, \ldots, 0)$, and $(IV_{79}, IV_{80}) \ne (0, 0)$. Then the key-stream $(z_0 z_1 z_2 \cdots)$ is kept unchanged.

Proposition 10 is clear. Notice that the state renewal is irreversible.

G. Features of Fault Injected Machine in Case 7: $67 \le P_L \le 93$ or $244 \le P_L \le 288$

Case 7 has many features similar to those of the former cases. Here are some examples.

If $244 \le P_L \le 264$, the features are similar to those of Case 4.

If $265 \le P_L \le 287$, the features are similar to those of Case 5.

If $P_L = 288$, the features are similar to those of Case 6.

If $67 \le P_L \le 69$, the features are similar to those of Case 4.

If $70 \le P_L \le 92$, the features are similar to those of Case 5.

If $P_L = 93$, the features are similar to those of Case 6.

IV. Cases Checking 

In this section we present an algorithm to check the case by observing the key-stream $(z_0 z_1 z_2 \cdots)$. We first define 6 features for $(z_0 z_1 z_2 \cdots)$.

Feature 1: $(z_0 z_1 \cdots z_{68}) = (z_{69} z_{70} \cdots z_{137})$.

Feature 2: $(z_0 z_1 \cdots z_{3357}) = (z_{3358} z_{3359} \cdots z_{6715})$.

Feature 3: $(z_0 z_1 \cdots z_{4523}) = (z_{4524} z_{4525} \cdots z_{9047})$.

Feature 4: Change $IV_{70}$ from 0 to 1, then $(z_0 z_1 z_2 \cdots z_{287})$ are kept unchanged.

Feature 5: Change $IV_{79}$ from 0 to 1, then $(z_0 z_1 z_2 \cdots z_{287})$ are kept unchanged.

Feature 6: Change $IV_{80}$ from 0 to 1, then $(z_0 z_1 z_2 \cdots z_{287})$ are kept unchanged.

Then we point out some facts, as follows.

1) In Case 1, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 1.

2) In Case 2, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 2.

3) In Case 3, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 3.

4) In Case 4, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 4.

5) In Case 5, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 5.

6) In Case 5, $(z_0 z_1 z_2 \cdots)$ may or may not satisfy Feature 6.

7) In Case 6, $(z_0 z_1 z_2 \cdots)$ satisfies both Feature 5 and Feature 6.

Then we present some natural assumptions, described as follows.

1) If the case is not Case 1, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 1 with a negligible probability.

2) If the case is neither Case 1 nor Case 2, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 2 with a negligible probability.

3) If the case is none of Case 1, Case 2, Case 3, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 3 with a negligible probability.

4) If the case is none of Case 1, Case 2, Case 3, Case 4, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 4 with a negligible probability.

5) In Case 7, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 5 with a negligible probability.

6) In Case 7, $(z_0 z_1 z_2 \cdots)$ satisfies Feature 6 with a negligible probability.

Algorithm: Suppose that the attacker has obtained the key-stream $(z_0 z_1 z_2 \cdots)$ from a hard-fault-injected machine.

1) If $(z_0 z_1 z_2 \cdots)$ satisfies Feature 1, take the case as Case 1.

2) If $(z_0 z_1 z_2 \cdots)$ does not satisfy Feature 1, but satisfies Feature 2, take the case as Case 2.

3) If $(z_0 z_1 z_2 \cdots)$ satisfies neither Feature 1 nor Feature 2, but satisfies Feature 3, take the case as Case 3.

4) If $(z_0 z_1 z_2 \cdots)$ satisfies none of Feature 1, Feature 2, Feature 3, but satisfies Feature 4, take the case as Case 4.

5) If $(z_0 z_1 z_2 \cdots)$ satisfies none of Feature 1, Feature 2, Feature 3, Feature 4, but satisfies both Feature 5 and Feature 6, take the case as one of Case 5 and Case 6.

6) If $(z_0 z_1 z_2 \cdots)$ satisfies none of Feature 1, Feature 2, Feature 3, Feature 4, Feature 6, but satisfies Feature 5, take the case as Case 5.

7) If $(z_0 z_1 z_2 \cdots)$ satisfies none of Feature 1, Feature 2, Feature 3, Feature 4, Feature 5, Feature 6, take the case as Case 7.

Under our natural assumptions, the Algorithm selects wrong cases with a negligible probability. In step 5) of the Algorithm, we can also take the case directly as Case 5. The probability of mistake is no more than 1/5.

V. Conclusion and Future Work 

From all of the discussions above, it is clear that Trivium is 
weak under hard fault analysis, with our trivial assumptions. 

Hard fault injection will lead us to continue our work. 
One future work is combined fault analysis of Grain. Grain 
is another hardware-oriented stream cipher, and one of the 
finally chosen ciphers by eSTREAM project. We find Grain 
much stronger under either soft or hard fault analysis. We 
will combine hard fault injection and soft fault injection, 
looking for weakness of Grain. The second future work is 
the study under weaker assumptions. One weaker assumption 
is that, after fault injection, the values of those injected bits 
are permanently 0 or 1.